AAD Adoption - [Discuss] Onboard "Security Solution notification (Legacy)" to alerts as data for a unified alerts architecture #171795
Labels
discuss
Feature:Alerting
Team:Detections and Resp
Security Detection Response Team
Team:ResponseOps
Label for the ResponseOps team (formerly the Cases and Alerting teams)
Comments
Pinging @elastic/security-detections-response (Team:Detections and Resp)

Pinging @elastic/response-ops (Team:ResponseOps)

Note for security solution folks, the streamlining effort is a tentative plan for 8.13 and not certain if we'll move forward with this approach yet. We'll want to have a conversation before starting the work if ever. We are in the early stages of streamlining alerts-as-data.
ymao1 added a commit that referenced this issue on Jan 15, 2024:

…ation rule types to write default alerts-as-data docs (#174553)

Towards elastic/response-ops-team#164
Resolves #171795

## Summary

* Switches this rule type to use `alertsClient` from alerting framework in favor of the deprecated `alertFactory`
* Defines the `default` alert config for these rule types so framework level fields will be written out into the `.alerts-default.alerts-default` index with no rule type specific fields.
* Updated some terminology from `alert` to `rule`

## To Verify

* Follow the instructions in [this PR](#112869) to add a legacy notification to a detection rule.
* Verify the notification fires as expected
* Verify an alert document is written to `.alerts-default.alerts-default` that looks like:

```
{
  "kibana.alert.rule.category": "Security Solution notification (Legacy)",
  "kibana.alert.rule.consumer": "siem",
  "kibana.alert.rule.execution.uuid": "cbad59ec-2a6e-4791-81c3-ae0fefd3d48a",
  "kibana.alert.rule.name": "Legacy notification with one action",
  "kibana.alert.rule.parameters": {
    "ruleAlertId": "9c07db42-b5fa-4ef9-8d7e-48d5688fd88e"
  },
  "kibana.alert.rule.producer": "siem",
  "kibana.alert.rule.rule_type_id": "siem.notifications",
  "kibana.alert.rule.tags": [],
  "kibana.alert.rule.uuid": "1869763e-c6e7-47fd-8275-0c9568127d84",
  "kibana.space_ids": [
    "default"
  ],
  "@timestamp": "2024-01-10T18:12:02.433Z",
  "event.action": "close",
  "event.kind": "signal",
  "kibana.alert.action_group": "recovered",
  "kibana.alert.flapping_history": [
    true,
    true,
    false,
    false
  ],
  "kibana.alert.instance.id": "1869763e-c6e7-47fd-8275-0c9568127d84",
  "kibana.alert.maintenance_window_ids": [],
  "kibana.alert.status": "recovered",
  "kibana.alert.uuid": "119269e0-a767-43c9-b383-a8840b4dddd5",
  "kibana.alert.workflow_status": "open",
  "kibana.alert.start": "2024-01-10T18:08:53.373Z",
  "kibana.alert.time_range": {
    "gte": "2024-01-10T18:08:53.373Z",
    "lte": "2024-01-10T18:09:56.367Z"
  },
  "kibana.version": "8.13.0",
  "tags": [],
  "kibana.alert.duration.us": 62994000,
  "kibana.alert.end": "2024-01-10T18:09:56.367Z",
  "kibana.alert.rule.revision": 0,
  "kibana.alert.flapping": false
}
```

---------

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
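As an added example (not Kibana's code and not part of the PR), a small Python check that turns the "To Verify" step above into something repeatable for a document read back from `.alerts-default.alerts-default`: it flags any top-level field outside the framework namespace and checks that the timing and lifecycle fields agree with each other. The invariants it enforces are inferred from the sample document and are assumptions, not documented framework guarantees.

```python
"""Consistency checks for a default-index alerts-as-data document (added example, not Kibana code).
The invariants below are inferred from the sample document in the commit message above and are
assumptions about the framework, not documented guarantees."""
from datetime import datetime

FRAMEWORK_PREFIXES = ("kibana.", "event.")  # framework-level namespaces seen in the sample
FRAMEWORK_KEYS = {"@timestamp", "tags"}

# Trimmed copy of the sample document from the commit message (values as shown on the page).
SAMPLE_DOC = {
    "kibana.alert.rule.rule_type_id": "siem.notifications", "kibana.alert.rule.consumer": "siem",
    "kibana.alert.rule.parameters": {"ruleAlertId": "9c07db42-b5fa-4ef9-8d7e-48d5688fd88e"},
    "@timestamp": "2024-01-10T18:12:02.433Z", "event.action": "close", "event.kind": "signal",
    "kibana.alert.action_group": "recovered", "kibana.alert.status": "recovered", "tags": [],
    "kibana.alert.start": "2024-01-10T18:08:53.373Z", "kibana.alert.end": "2024-01-10T18:09:56.367Z",
    "kibana.alert.time_range": {"gte": "2024-01-10T18:08:53.373Z", "lte": "2024-01-10T18:09:56.367Z"},
    "kibana.alert.duration.us": 62994000,
}

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ")

def _micros(delta):
    return (delta.days * 86_400 + delta.seconds) * 1_000_000 + delta.microseconds

def check_alert_doc(doc):
    """Return a list of problems; an empty list means the document is self-consistent."""
    problems = []
    # Only framework-level fields may appear at the top level (no rule-type-specific fields).
    for key in doc:
        if not (key.startswith(FRAMEWORK_PREFIXES) or key in FRAMEWORK_KEYS):
            problems.append(f"non-framework top-level field: {key}")
    if doc.get("kibana.alert.rule.rule_type_id") != "siem.notifications":
        problems.append("unexpected kibana.alert.rule.rule_type_id")
    # Timing fields must agree: time_range mirrors start/end and duration.us equals end - start.
    start, end = doc.get("kibana.alert.start"), doc.get("kibana.alert.end")
    rng = doc.get("kibana.alert.time_range", {})
    if start and rng.get("gte") != start:
        problems.append("time_range.gte != kibana.alert.start")
    if end:
        if rng.get("lte") != end:
            problems.append("time_range.lte != kibana.alert.end")
        if doc.get("kibana.alert.duration.us") != _micros(_ts(end) - _ts(start)):
            problems.append("kibana.alert.duration.us != end - start")
    # Lifecycle fields must agree: a recovered alert closes its event and carries an end time.
    if doc.get("kibana.alert.status") == "recovered" and (
        doc.get("kibana.alert.action_group") != "recovered" or doc.get("event.action") != "close" or not end
    ):
        problems.append("recovered alert must have action_group=recovered, event.action=close and an end")
    return problems
```

`check_alert_doc(SAMPLE_DOC)` returns an empty list for the page's sample; feed it each hit from a search of the default index to spot documents that drift from these expectations.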
I'm opening this discuss issue to explore the idea of onboarding `Security Solution notification (Legacy)` to persist alerts-as-data documents. This is necessary to enable a unified architecture in the alerting framework so we have all rule types utilizing alerts-as-data. This is important as we start relying more and more on the persisted alerts-as-data documents to enable framework capabilities without requiring conditional checks / code forks on whether or not the rule type persists AAD documents.

This issue is a bit controversial given the `Security Solution notification (Legacy)` rule is deprecated and we're trying to remove it. However, it is also blocking architectural advancements that rely solely on alerts-as-data (cleaning up code forks, new capabilities tied to AAD like summaries and maintenance windows, etc).

If we move forward with this, we should consider storing these alerts into a default index that isn't visible in the security solution and doesn't have any special mappings. This would at least help have all rule types persist alerts-as-data documents, have a unified architecture while including special handling in the UX to hide these alerts.